Created May 18, 2016 22:52
Fail2Ban - SMTP filters that help me resolve an attacked mail server with Postfix and Dovecot
## content of: /etc/fail2ban/jail.local
[mail-smtp]
enabled = true
logpath = /var/log/mail.log
filter = mail-smtp
maxretry = 1
action = iptables-multiport[name=mail-smtp, port="25,587", protocol=tcp]

## content of: /etc/fail2ban/filter.d/mail-smtp.conf
[Definition]
##
# May 15 07:19:07 mail postfix/smtpd[10583]: warning: unknown[185.3.133.174]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
# May 18 12:53:45 mail postfix/smtpd[10926]: warning: 41.222.52.105: address not listed for hostname na.cyberlogic.co.za
# May 15 06:26:01 mail postfix/smtp[29807]: B79961A8C29F: ***, relay=none, delay=0.02, delays=0.01/0/0.01/0, dsn=4.4.1, status=deferred (connect to ***.******.**[***.***.***.***]:25: Connection refused)
# May 15 06:26:34 mail postfix/smtp[30395]: 403CB1A8C751: *** status=deferred (host ******[***.***.***.***] said: 454 4.7.1 ***: Relay access denied (in reply to RCPT TO command))
# May 18 23:09:50 mail postfix/smtp[5844]: 808EB1A8C2B7: lost connection with mta7.am0.yahoodns.net[63.250.192.46] while sending RCPT TO
# May 18 23:53:16 mail postfix/error[32147]: 6E6431A8C2CE: to=<rgaz1018@aol.com> *** status=deferred (delivery temporarily suspended: connect to mailin-04.mx.aol.com[64.12.88.132]:25: Connection timed out)
# May 14 23:26:50 mail postfix/smtpd[31643]: warning: non-SMTP command from unknown[177.11.51.103]: From: sftjh@*******
##
# Continuation lines of a multi-line failregex must be indented, otherwise fail2ban's INI parser rejects the file.
failregex = warning: (?:.*\[<HOST>\]\:.*) SASL (PLAIN|LOGIN) authentication failed: .*$
            warning: <HOST>: address not listed for hostname .*$
            status=deferred \(connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection refused\)$
            status=deferred \(host (?:.*\[<HOST>\] said\:.*\:) Relay access denied \(.*RCPT TO.*\)\)$
            lost connection with (?:.*\[<HOST>\].*) while sending RCPT TO$
            status=deferred \(delivery temporarily suspended\: connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection timed out\)$
            warning: non-SMTP command from (?:.*\[<HOST>\]\:.*) From: .*$
ignoreregex =
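To see which rule catches which log line before enabling the jail, here is an added Python check (not part of the gist) that mimics what `fail2ban-regex` does: it substitutes a simplified, IPv4-only `<HOST>` pattern (an assumption; fail2ban's real expansion also accepts hostnames and IPv6) into the gist's failregex list and runs it over constructed log lines that use TEST-NET addresses. It also flags hits that come from `postfix/smtp` and `postfix/error` records, because those describe this server's own outbound delivery attempts: with `maxretry = 1` a single deferred delivery firewalls off the remote MTA (the gist's own sample lines show Yahoo and AOL relays), so a defender may prefer to count only `postfix/smtpd` hits.

```python
import re

# The seven rules from the gist's mail-smtp.conf, unchanged (fail2ban <HOST> placeholder syntax).
FAILREGEX = [
    r"warning: (?:.*\[<HOST>\]\:.*) SASL (PLAIN|LOGIN) authentication failed: .*$",
    r"warning: <HOST>: address not listed for hostname .*$",
    r"status=deferred \(connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection refused\)$",
    r"status=deferred \(host (?:.*\[<HOST>\] said\:.*\:) Relay access denied \(.*RCPT TO.*\)\)$",
    r"lost connection with (?:.*\[<HOST>\].*) while sending RCPT TO$",
    r"status=deferred \(delivery temporarily suspended\: connect to (?:.*\[<HOST>\]\:.*)(?:\d.\:.*) Connection timed out\)$",
    r"warning: non-SMTP command from (?:.*\[<HOST>\]\:.*) From: .*$",
]

# Assumption: a simplified IPv4-only stand-in for fail2ban's <HOST> expansion.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample log (TEST-NET addresses), modelled on the comment lines in the gist.
SAMPLE_LOG = [
    "May 15 07:19:07 mail postfix/smtpd[10583]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "May 18 12:53:45 mail postfix/smtpd[10926]: warning: 192.0.2.11: address not listed for hostname mail.example.net",
    "May 14 23:26:50 mail postfix/smtpd[31643]: warning: non-SMTP command from unknown[192.0.2.12]: From: sftjh@example.com",
    "May 15 06:26:34 mail postfix/smtp[30395]: 403CB1A8C751: to=<user@example.org>, relay=mx.example.org[198.51.100.22]:25, delay=0.5, delays=0.4/0/0.1/0, dsn=4.7.1, status=deferred (host mx.example.org[198.51.100.22] said: 454 4.7.1 <user@example.org>: Relay access denied (in reply to RCPT TO command))",
    "May 18 23:09:50 mail postfix/smtp[5844]: 808EB1A8C2B7: lost connection with mx.example.org[198.51.100.20] while sending RCPT TO",
    "May 18 23:53:16 mail postfix/error[32147]: 6E6431A8C2CE: to=<user@example.org>, relay=none, delay=1, delays=1/0/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mx.example.org[198.51.100.21]:25: Connection timed out)",
    "May 18 23:10:00 mail postfix/smtpd[5900]: connect from mail.example.com[198.51.100.30]",
]


def compile_rules(rules=FAILREGEX):
    """Expand <HOST> and compile each failregex, preserving the rule order."""
    return [re.compile(rule.replace("<HOST>", HOST_PATTERN)) for rule in rules]


def match_line(line, compiled):
    """Return (1-based rule number, host) for the first rule that fires, or None."""
    for index, regex in enumerate(compiled, start=1):
        found = regex.search(line)
        if found:
            return index, found.group("host")
    return None


def is_outbound_log(line):
    """postfix/smtp and postfix/error records describe *our* delivery attempts to remote MTAs."""
    return " postfix/smtp[" in line or " postfix/error[" in line


def scan(lines, rules=FAILREGEX):
    """Run every line through the filter; return one dict per hit, like fail2ban-regex's match list."""
    compiled = compile_rules(rules)
    hits = []
    for line in lines:
        hit = match_line(line, compiled)
        if hit:
            rule, host = hit
            hits.append({"rule": rule, "host": host, "outbound": is_outbound_log(line)})
    return hits


def banned_hosts(lines, rules=FAILREGEX, skip_outbound=False):
    """Hosts the jail would ban with maxretry = 1 (one hit suffices).

    skip_outbound=True ignores hits from our own delivery logs, so a remote MTA
    that merely deferred or refused our outbound mail is not firewalled off.
    """
    return {h["host"] for h in scan(lines, rules) if not (skip_outbound and h["outbound"])}


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        origin = "outbound delivery" if hit["outbound"] else "inbound client"
        print(f"rule {hit['rule']} -> ban {hit['host']} ({origin})")
    print("banned (all rules):     ", sorted(banned_hosts(SAMPLE_LOG)))
    print("banned (smtpd only):    ", sorted(banned_hosts(SAMPLE_LOG, skip_outbound=True)))
```

Against the live log, the equivalent check is `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/mail-smtp.conf`; look at which hosts in its match list are your own outbound relays before leaving `maxretry = 1` in place.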
Thanks for sharing, this worked so much better than the other crap I'd tried before. After years(!) finally it does what it should.
You are welcome...